# # TLS - Transport Layer Security (SSL) # # nginx/1.11.6 # OpenSSL 1.0.2g 1 Mar 2016 # Specifies the enabled ciphers. The ciphers are specified in the format # understood by the OpenSSL library. # Default: ssl_ciphers HIGH:!aNULL:!MD5; ssl_ciphers 'kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM:-AES256:+SHA1'; # # Diffie-Hellman ephemeral key exchange parameters # Specifies a file with DH parameters for DHE ciphers. # Should be at least the size of the public RSA key # Default: ssl_dhparam /etc/ssl/dhparams/dh_4096.pem; # # The curve used for Elliptic Curve encryption. # Specifies a curve for ECDHE ciphers. # Default: ssl_ecdh_curve auto; ssl_ecdh_curve secp384r1; # # Specifies that server ciphers should be preferred over client ciphers when # using the SSLv3 and TLS protocols. # Default: ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers on; # # Enables (or disables) the specified protocols. # Don't use SSLv2 and SSLv3 # Default: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # # Enables or disables session resumption through TLS session tickets (RFC5077). # Default: ssl_session_tickets on; #ssl_session_tickets on; # # Optimize SSL by caching session parameters. This cuts down on # the number of expensive SSL handshakes. The handshake is the most # CPU-intensive operation, and by default it is re-negotiated on every # new/parallel connection. # # Time during which a client may reuse a cached TLS session without re- # negotiation. # Default: ssl_session_timeout 5m; ssl_session_timeout 1d; # # Further optimization can be achieved by raising keepalive_timeout. # Time during which a client connection will stay open on the server side. # The optional second parameter sets a value in the “Keep-Alive: timeout=time” # response header field. # # Set in configuration file 20_limits.conf